SecurityWeek

Microsoft Fixes 16 Security Vulnerabilities in Patch Tuesday Update

Microsoft plugged a pair of vulnerabilities in Internet Explorer 9 today as part of a sizeable Patch Tuesday update.

All told, Microsoft fixed 16 security vulnerabilities, including a bug in Microsoft XML Core Services that is being exploited in the wild. The patches are spread across nine bulletins, three of which are rated ‘critical.’ The IE9 bulletin, MS12-044, fixes two bugs that can be exploited to execute code remotely. Although Microsoft said neither has been seen targeted in the wild, Rapid7 security researcher Marcus Carey told SecurityWeek that reliable exploits are likely to be available soon.

“Microsoft has estimated that a reliable exploit could be available within 30 days,” he said, “which means they believe it has good potential for remote code execution…We have learned from past experience that when it comes to client-side browser bugs, a lot of effort is spent on actualizing exploits to take advantage of them.”

Attackers have already begun targeting a remote code execution issue affecting XML Core Services. The patch fixes the issue on XML Core Services 3.0, 4.0 and 6.0. This bulletin, MS12-043, is rated ‘Critical’, and should be considered a priority, security experts said.

“If you are paying close attention, you’ll notice that the XML version 5 patch for the bug isn’t shipping today,” opined Andrew Storms, director of security operations at nCircle. “The fix for this version is probably not ready yet, so Microsoft decided to deliver the other patches. So far, all the attacks in the wild utilize XML version 3, so this release, even though not totally complete, seems like a no-brainer.”
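Because MS12-043 covers MSXML 3.0, 4.0 and 6.0 but not version 5 (which ships with Office rather than Windows), an administrator's first question is which parser DLLs are actually present on a host. The inventory script below is an added example written for this page, not code from the article or from Microsoft; the system paths are the standard locations of the MSXML DLLs, and the Office "Microsoft Shared" search for msxml5.dll is an assumption about where Office installs it.

```powershell
# Added example: enumerate MSXML parser DLLs and their file versions so exposure to the
# MS12-043 bug can be assessed per host. Run in an elevated PowerShell session.
function Get-MsxmlInventory {
    # Windows-shipped parsers (3.0, 4.0, 6.0) live in System32 (and SysWOW64 on x64).
    $candidates = foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        foreach ($name in 'msxml3.dll', 'msxml4.dll', 'msxml6.dll') {
            Join-Path $dir $name
        }
    }

    # MSXML 5 is installed by Office, not Windows. Assumption: it sits somewhere under the
    # "Microsoft Shared" common-files tree, so search there instead of hard-coding a subfolder.
    foreach ($root in @(${env:CommonProgramFiles}, ${env:CommonProgramFiles(x86)})) {
        if ($root) {
            $shared = Join-Path $root 'Microsoft Shared'
            if (Test-Path $shared) {
                $candidates += Get-ChildItem -Path $shared -Filter 'msxml5.dll' -Recurse -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.FullName }
            }
        }
    }

    foreach ($path in $candidates | Sort-Object -Unique) {
        if (Test-Path $path) {
            $info = (Get-Item $path).VersionInfo
            [pscustomobject]@{
                Path        = $path
                FileVersion = $info.FileVersion
                # Flag the version the article says has no patch in this release.
                Unpatched   = ($path -like '*msxml5.dll')
            }
        }
    }
}

Get-MsxmlInventory | Format-Table -AutoSize
```

The `Unpatched` column only reflects what the article states (no MSXML 5 fix shipped that day); compare the reported file versions against the bulletin's own file-version table to confirm that the 3.0, 4.0 and 6.0 updates actually applied.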

The final critical bulletin, MS12-045, addresses a vulnerability in Microsoft Windows that, like the other critical bugs, can be exploited to remotely execute code. According to Microsoft, the vulnerability exists in the way that Microsoft Data Access Components (MDAC) accesses an object in memory that has been improperly initialized.

“MDAC is something that has been exploited plenty of times in the past, including vulnerability CVE-2006-0003, which was leveraged by the vast majority of exploit toolkits,” said Marc Maiffret, CTO of BeyondTrust. “This new MDAC vulnerability looks to be something that also will make its way into exploit toolkits sooner than later, given it affects most OSes and is straightforward to exploit.”

The remaining bulletins for this month affect Microsoft Office, Windows, Microsoft Server Software and Microsoft Developer Tools. Each of those six bulletins is classified as ‘Important.’


In addition to the patches, Microsoft released Security Advisory 2719662, which allows system administrators to disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click.

“As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store,” blogged Yunsun Wee of Microsoft’s Trustworthy Computing group. “Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run.”

The company also issued Security Advisory 2728973, which places certain digital certificates in the Untrusted Certificate Store.

“Though we have no indication that those had been compromised or misused in any fashion, as a precautionary measure we’ve revoked them,” Wee blogged. “A subset of those was in addition found to have code signing permissions, which has earned them a place in the Untrusted Certificate Store.”
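Both advisories above change host state that an administrator will want to verify after the Fix it or the certificate update has been deployed. The check below is an added example for this page, not Microsoft's code; it assumes that the Sidebar Fix it sets the `TurnOffSidebar` policy value under `Policies\Windows\Sidebar` (the same value the "Turn off Windows Sidebar" Group Policy writes), and it reads the machine's Untrusted store through PowerShell's certificate provider, where that store is named `Disallowed`.

```powershell
# Added example: verify the state the two advisories describe.
#  - Advisory 2719662: Sidebar and Gadgets disabled by policy.
#  - Advisory 2728973: revoked certificates present in the Untrusted (Disallowed) store.

function Test-SidebarDisabled {
    # Assumption: the Fix it writes TurnOffSidebar=1 under the machine and/or user policy key.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
    )
    foreach ($key in $keys) {
        $value = Get-ItemProperty -Path $key -Name TurnOffSidebar -ErrorAction SilentlyContinue
        if ($value -and $value.TurnOffSidebar -eq 1) {
            return $true
        }
    }
    return $false
}

function Get-UntrustedCertificates {
    # The "Untrusted Certificate Store" in the Windows UI is the Disallowed store in the provider.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

if (Test-SidebarDisabled) {
    Write-Output 'Sidebar/Gadgets: disabled by policy'
} else {
    Write-Output 'Sidebar/Gadgets: policy NOT set'
}

Write-Output 'Certificates currently in the Untrusted store:'
Get-UntrustedCertificates | Format-Table -AutoSize
```

The thumbprints of the certificates the advisory revoked are not reproduced here; compare the listed entries against the advisory's own table when confirming the update landed.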

Written By

Marketing professional with a background in journalism and a focus on IT security.
